Last Updated: December 30, 2025
1.1. This Privacy Policy (hereinafter referred to as the Policy) defines the procedure for processing personal data of users of the website https://guitarsongs.club (hereinafter referred to as the Website) and the mobile application Guitar Songs (hereinafter referred to as the Application), developed and managed by Aleksandr Suslov (hereinafter referred to as the Operator).
1.2. This Policy has been developed in accordance with:
- Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (Russian Federation);
- General Data Protection Regulation (GDPR) of the European Union (Regulation (EU) 2016/679);
- Other applicable legal acts of the Russian Federation and international agreements.
1.3. Use of the Website and/or Application constitutes the user's unconditional consent to this Policy and the terms of processing of their personal data specified herein. If you disagree with these terms, you should refrain from using the Website and Application.
1.4. This Policy applies only to the Website and Application. The Operator does not control and is not responsible for third-party websites that the user may access through links available on the Website or in the Application.
2.1. Personal Data — any information relating to a directly or indirectly identified or identifiable natural person (data subject).
2.2. Processing of Personal Data — any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
2.3. Operator — a natural person who, independently or jointly with other persons, organizes and/or carries out the processing of personal data, and also determines the purposes of personal data processing, the composition of personal data to be processed, and actions (operations) performed with personal data.
2.4. Confidentiality of Personal Data — a requirement binding on the Operator or any other person who has gained access to personal data not to allow their dissemination without the consent of the data subject or the existence of another legal basis.
3.1. The data controller is a natural person:
Full Name: Aleksandr Suslov
Contact Email: guitarsongs.club@gmail.com
3.2. The Operator processes personal data as a natural person without forming a legal entity.
4.1. The Operator processes the following categories of users' personal data:
a) Data provided during authorization via Google OAuth 2.0:
- Username (can be changed by the user in settings);
- Email address (stored exclusively as SHA-256 hash);
- Google user unique identifier.
b) Data collected in the Application:
- Email address (stored locally on the user's device; only the SHA-256 hash is transmitted to the server during synchronization);
- Firebase authentication data (when using email and password sign-in);
- User-generated content (song lyrics with chords);
- Advertising Identifier (Advertising ID) collected through advertising SDKs with user consent obtained through User Messaging Platform (UMP).
c) Technical Data:
- IP address;
- Browser and device information;
- Interaction data with the Website and Application (logs, usage metrics);
- Cookies and similar tracking technologies.
4.2. Purposes of personal data processing:
- Providing access to the features of the Website and Application;
- User authorization and authentication;
- User identification to enable content addition and editing;
- Data synchronization between the Website and Application;
- Providing personalized advertising (with user consent);
- Monetizing the Application through advertising display;
- Improving the functionality and usability of the Website and Application;
- Ensuring security and preventing fraud;
- Compliance with applicable legal requirements.
4.3. The Operator does not process special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, or intimate life.
5.1. The legal bases for processing personal data are:
- Consent of the data subject to the processing of their personal data (Article 6 of Federal Law No. 152-FZ, Article 6(1)(a) GDPR);
- Necessity of processing for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR);
- Legitimate interests of the Operator, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f) GDPR).
5.2. The Operator processes the user's personal data only if at least one of the above grounds exists.
6.1. Personal data collection:
- When authorizing via Google OAuth 2.0, the user provides the Operator with access to their name and email address;
- In the Application, the user can authorize via email through Firebase Authentication or through Google Sign-In (CredentialManager);
- Technical data is collected automatically when using the Website and Application.
6.2. Personal data storage:
- Email addresses are stored on the Operator's servers exclusively as irreversible SHA-256 hashes, which prevents recovery of the original email;
- Usernames are stored in the database in plain text;
- In the Application, the user's email is stored locally on the device;
- User-generated content is stored on the Operator's servers and locally on the user's device;
- The Operator applies organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other unlawful actions.
6.3. Transfer of personal data to third parties:
The Operator may transfer personal data to the following categories of third parties:
a) Google LLC / Google Ireland Limited:
- When using Google OAuth 2.0 for authorization;
- When using Firebase Authentication;
- When using Google Mobile Ads SDK (Google AdMob) for advertising display (Advertising ID is transmitted with user consent);
- Data transfer is carried out in accordance with Google's Privacy Policy and based on EU Standard Contractual Clauses.
b) Advertising networks and mediation platforms:
The Application uses the following advertising networks and platforms for advertising display:
- Google AdMob (Google LLC / Google Ireland Limited) — primary advertising platform;
- CAS.AI (CleverAdsSolutions) — advertising mediation platform that aggregates multiple advertising networks. CAS.AI may transfer data to the following partners: Google AdMob, Unity Ads, AppLovin, ironSource, Vungle, Chartboost, InMobi, Pangle (TikTok), Meta Audience Network, and other networks depending on mediation settings. A complete list of CAS.AI partners is available at https://cas.ai;
- Yandex Advertising Network (Yandex LLC, Russia) — for displaying advertising to Russian users. Data processing is carried out in accordance with Yandex's Privacy Policy (https://yandex.com/legal/confidential).
The Advertising ID and related technical data are transferred to the specified partners only with explicit user consent obtained through the User Messaging Platform (UMP). Users can withdraw consent for personalized advertising at any time in the Application settings.
c) Government authorities:
- In cases provided by applicable law, personal data may be transferred to authorized government authorities upon their official requests.
6.4. Cross-border data transfer:
- Personal data may be transferred to countries ensuring an adequate level of personal data protection (particularly, EU/EEA countries);
- When transferring data to the USA (Google LLC, some CAS.AI partners), mechanisms approved by European regulators are applied, including Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework;
- Data transfer to Russia (Yandex) is carried out in accordance with Russian legislation;
- Data transfer is carried out in accordance with the requirements of Chapter V of the GDPR and Article 12 of Federal Law No. 152-FZ.
6.5. Each of the specified advertising partners has its own privacy policy, which users are encouraged to review:
- Google AdMob: https://policies.google.com/privacy
- CAS.AI: https://cas.ai/privacy-policy-3
- Yandex: https://yandex.com/legal/confidential
7.1. Personal data is processed for the period necessary to achieve the purposes of their processing specified in this Policy.
7.2. Personal data is stored:
- Authentication data (email hash, username) — for the entire period of Website/Application use by the user;
- User-generated content — until deleted by the user or administrator;
- Technical data and logs — up to 12 months from collection;
- Advertising-related data (Advertising ID) — in accordance with advertising partners' policies, but no more than 24 months.
7.3. Upon expiration of the processing periods, personal data shall be deleted or anonymized, except in cases where legislation requires their longer retention.
8.1. In accordance with applicable law, data subjects have the following rights:
a) Right of access: to obtain information about whether their personal data is being processed and, if so, to access such data;
b) Right to rectification: to correct inaccurate or incomplete personal data;
c) Right to erasure ('right to be forgotten'): to request deletion of personal data in cases provided by law;
d) Right to restriction of processing: to request restriction of personal data processing in certain circumstances;
e) Right to object: to object to processing of personal data based on the Operator's legitimate interests;
f) Right to data portability: to receive provided personal data in a structured, commonly used, and machine-readable format and transmit it to another controller (applicable under GDPR);
g) Right to withdraw consent: to withdraw consent to personal data processing at any time, without affecting the lawfulness of processing prior to withdrawal;
h) Right to lodge a complaint: to file a complaint with a supervisory authority (Roskomnadzor in Russia, relevant data protection authority in the EU).
8.2. To exercise their rights, users may submit a request to the Operator at the email address specified in Section 3 of this Policy.
8.3. The Operator undertakes to review the user's request and provide a response within 30 calendar days of receiving the request (or within the period established by applicable law).
8.4. Username can be changed independently in the account settings on the Website or in the Application.
9.1. The Operator takes necessary and sufficient legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, and other unlawful actions.
9.2. Protection measures include:
- Storage of email addresses exclusively as SHA-256 hashes, preventing recovery of original data;
- Use of secure data transmission protocols (HTTPS/TLS);
- Restriction of access to personal data;
- Regular software updates and vulnerability fixes;
- Data backup;
- Use of Firebase Authentication with its built-in security mechanisms;
- Obtaining explicit user consent before collecting Advertising ID through User Messaging Platform (UMP) in accordance with Google requirements and applicable law;
- Monitoring and auditing data access.
9.3. In case of a personal data breach, the Operator undertakes to notify data subjects and supervisory authorities within the timeframes and procedures established by applicable law (no later than 72 hours under GDPR, no later than 24 hours under Russian law for significant incidents).
10.1. The Website uses cookies and similar technologies to ensure functionality, improve user experience, and collect analytical information.
10.2. Types of cookies used:
- Essential cookies — ensure basic functionality of the Website (e.g., maintaining login state);
- Functional cookies — remember user preferences and provide enhanced features;
- Analytical cookies — collect information about how visitors use the Website;
- Advertising cookies — used to display personalized advertising (only with user consent).
10.3. Users can manage cookie settings through their browser settings. Disabling cookies may affect Website functionality.
10.4. The Application uses similar technologies to ensure offline operation and data synchronization.
11.1. The Application uses advertising SDKs (Google AdMob, CAS.AI, Yandex Advertising Network) to display advertising and has permission com.google.android.gms.permission.AD_ID to access the device's Advertising Identifier (Advertising ID).
11.2. Advertising ID is used exclusively to provide personalized advertising and analyze advertising campaign effectiveness.
11.3. Before collecting Advertising ID, the Operator obtains explicit user consent through the User Messaging Platform (UMP) in accordance with Google requirements, GDPR, ePrivacy Directive, and Russian legislation.
11.4. Users have the right to:
- Opt out of personalized advertising in the Application settings;
- Reset Advertising ID in device settings (Android: Settings → Google → Ads → Reset advertising ID);
- Disable personalized advertising at device level (Android: Settings → Google → Ads → Opt out of Ads Personalization).
11.5. Upon withdrawal of consent for personalized advertising, the Application will continue to display non-personalized (contextual) advertising.
11.6. Advertising ID and related data may be transferred to advertising partners specified in Section 6.3(b), in accordance with their privacy policies.
12.1. The Website and Application are not intended for persons under 16 years of age (or other age of digital consent established by applicable law).
12.2. The Operator does not intentionally collect personal data from persons under the specified age.
12.3. If the Operator becomes aware that personal data has been collected from a person under the appropriate age without parental or legal guardian consent, such data will be immediately deleted.
12.4. If you are a parent or legal guardian and believe that your child has provided us with personal data, please contact us using the contact details specified in Section 3.
13.1. The Operator reserves the right to make changes to this Policy. When changes are made, the date of the last update is indicated at the beginning of the document.
13.2. Users will be notified of significant changes to the Policy by posting a notice on the Website and/or in the Application at least 10 days before the changes take effect.
13.3. Continued use of the Website and/or Application after the changes take effect constitutes the user's agreement to the updated Policy.
13.4. It is recommended to regularly check this Policy for changes. The current version of the Policy is always available at: https://guitarsongs.club/privacy_policy_en.html.
14.1. For all questions related to personal data processing, users may contact the Operator:
Email: guitarsongs.club@gmail.com
14.2. For users from the European Union:
If you have questions or complaints regarding the processing of your personal data, you have the right to contact the data protection supervisory authority of your country. The list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.
14.3. For users from the Russian Federation:
You have the right to file a complaint with the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor):
Address: 7 Kitaigorodsky Proezd, Bldg. 2, Moscow, 109074, Russia
Phone: +7 (495) 987-68-00
Website: https://rkn.gov.ru
15.1. This Policy is a public document and is available to all users of the Website and Application.
15.2. This Policy and relations between the user and the Operator arising in connection with the application of the Policy are governed by the laws of the Russian Federation, as well as applicable international law, including GDPR for EU users.
15.3. In the event of disputes between the Operator and the user, the parties will make every effort to resolve them through negotiations. If it is impossible to resolve the dispute pre-trial, disputes are subject to resolution in accordance with the current legislation of the Russian Federation.
15.4. If any provision of this Policy is deemed invalid or unenforceable, this does not invalidate the remaining provisions of the Policy.
15.5. This Policy enters into force upon its posting on the Website and in the Application.